cvedb.io
CVE-2026-41318
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2026-04-24T04:16:20.193 · Last modified 2026-06-17T10:46:29.907

Summary

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's `alt` text into an HTML `alt="..."` attribute without any HTML encoding. Every call-site in the app wraps `renderMarkdown(...)` with `DOMPurify.sanitize(...)` as defense-in-depth — except the `Chartable` component, which renders chart captions with no sanitization. The chart caption is the natural-language text the LLM emits around a `create-chart` tool call, so any attacker who can influence the LLM's output — most cheaply via indirect prompt injection in a shared workspace document, or directly if they can create a chart record

Affected products

mintplexlabs — anythingllm

Does this affect you?

Add your gear to cvedb and we'll alert you only when mintplexlabs ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.